" password expiration" policy

jorge diaz
jorge diaz used Ask the Experts™
Picking your brain about password policy.

I was checking a few password management best practices and some of them discourage the "forcing users to change the password" policy, they advise that users change their passwords if they suspect it's been compromised. I still believe that forcing users to change their password coupled with other password policies can really make a password more secure. I was wondering if anyone out there  gave up on forcing users to change the password and what was the reason for that..

Thanks as always...
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Paul MacDonaldDirector, Information Systems

The idea behind forced password changes is that you don't always know when a password has been compromised.  The downside to constant changes is that people are much more likely to use easy-to-guess variations and/or write them down.  Encouraging people to have difficult-to-guess passwords reduces the need for constant changes.

I make my users change their passwords once a year.  This keeps passwords fairly fresh while not being onerous to the users.
Top Expert 2016
The use of longer passwords (Passphrase) is better than using a complex password.  Which is safer the password you keep in your head or one that is taped to the underside of your keyboard, in your pullout drawer or on a post it note on the monitor?
NIST Guidelines in a nutshell
A minimum of eight characters and a maximum length of at least 64 characters
The ability to use all special characters but no special requirement to use them
Restrict sequential and repetitive characters (e.g. 12345 or aaaaaa)
Restrict context specific passwords (e.g. the name of the site, etc.)
Restrict commonly used passwords (e.g. p@ssw0rd, etc.) and dictionary words
Restrict passwords obtained from previous breach corpuses
Distinguished Expert 2017

no matter how secure the method you choose is, the issue is always with the USER.
whether it is a passphrase or a complex password or a combination there of. Unless you can guarantee the user does not put it on a piece of paper and pins it to the cubicle..

depending on the industry, going with two factor authentication?
Another consideration is any regulatory requirements, PCI for example still requires changing passwords every 90 days.  

Aside from that I am would be in favor of longer passwords with complexity and change when suspected compromise.  As mentioned by others changing passwords frequently opens the door to writing passwords down or other possible bad practices, such as a favorite word with incremented numbers.
thanks everyone for the comments. I agree with setting a password expiration policy, it was just surprising to me the  many best practices documents I read discourage that practice.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial